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“The  somewhat  debatable  role  of  goto  statements  in  practical  programming 
is  reflected  in  their  theoretical  properties,  in  that  in  the  treatment  both  of 
their  semantics  and  their  correctness  we  are  confronted  with  difficulties  of 
a  nature  not  previously  encountered From  J.  de  Bakker.  Mathematical 
Theory  of  Program  Correctness.  Chapter  10.  Prentice-Hall,  1980. 


0.  INTRODUCTION 

In  this  note,  we  generalize  the  concept  of  function  composition.  We  introduce  the  notion  of  conditional 
composition  of  functions,  and  develop  a  theory  of  such  compositions.  We  also  introduce  a  conditional  replace 
operator,  which  can  be  used  to  define  conditional  composition  in  terms  of  ordinary  function  composition. 

We  show  how  these  concepts  can  be  used  in  four  application  areas:  program  semantics;  programming 
languages;  databases;  embedded  systems.  In  particular,  we  show  how  exceptions  can  be  described  in  terms 
of  the  IF  statement,  and  how  conditional  composition  can  be  used  to  describe  other  programming  language 
constructs  like  a  jump  statement  and  a  loop  exit.  Contrary  to  what  the  quotation  given  above  suggests, 
we  show  that  goto  statements  are  not  very  different  from  the  IF  statement.  We  relate  the  conditional 
composition  operator  to  concepts  from  relational  algebra  in  databases,  and  show  how  conditional  composition 
can  be  used  to  describe  an  embedded  system  with  various  priority  levels. 


1.  THEORY  OF  CONDITIONAL  COMPOSITION 

We  generalize  the  concept  of  function  composition  to  conditional  function  composition.  To  enable  us 
to  do  so,  we  first  introduce  a  notation  for  tagged  collections,  which  can  be  used  to  represent  lists,  arrays,  or 
any  other  labeled  collection  of  objects. 

Our  proof  format  is  from  [4].  We  use  [  ]  for  everywhere  brackets,  which  denote  universal  quantification 
over  the  state  space,  and  the  infix  dot  to  denote  function  application. 

1.0.  TAGGED  COLLECTIONS 

A  quantifier  Q  is  defined  by  a  triple  (*,  u,f)  where  *  is  an  associative  and  symmetric  operator  from 
D  x  D  — *■  D,  u  is  the  unit  element  of*,  and  /  is  a  function  from  T  — *■  D  (cf.  [6]).  A  quantified  expression, 
(or  quantifier)  is  an  expression  of  the  form: 

( Q  x  |  r.x  t>  t.x) 

where  x  is  an  unordered  list  of  identifier  names  (dummies),  r.x  (the  range)  is  a  predicate,  and  t.x  (the  term) 
is  an  expression  of  some  type  T.  When  r.x  is  true  everywhere  or  understood,  we  omit  the  range  and  write 
the  quantification  as: 

(Q  x  o  t.x ) 

Informally,  if  the  set  of  all  values  x  for  which  r.x  holds  is  {  xq  .  xi . ... ,  X/- } ,  then  the  value  of  the  quantified 
expression  is  u  -k  f  .x o  k  f  ,x\  k  ■  ■  ■  k  f  .x^.  For  example,  summation  can  be  written  as  the  quantifier  (+,  0,  id), 
where  id  is  the  identity  function.  Another  common  quantifier  is  the  set  constructor,  which  is  the  triple 
S  =  (U,  0,  {}) ,  where  function  {}  is  defined  by  the  relation  {}.x  =  {x}.  We  write  the  set  constructor  as 
{x  I  r.x  f>  t.x}  instead  of  (S  x  I  r.x  >  t.x). 
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We  use  quantification  to  denote  a  tagged  collection.  We  represent  an  element  in  the  tagged  collection 
by  (i:  x),  where  i  is  the  index  of  the  element,  and  x  is  the  value  tagged  by  i.  We  use  0  to  denote  an  empty 
collection,  which  has  the  property  that  0  U  l  =  l  for  any  l.  Formally,  we  define  jj  to  be  the  quantifier 
(U,  0,  id).  U  is  an  operator  analogous  to  the  disjoint  set  union  operator,  often  written  l+J.  An  element  (i:x) 
is  contained  in  10  U  /I  just  when  it  is  contained  in  either  10  or  11. 

An  indexed  collection  of  objects  has  an  additional  property,  namely  that  given  an  index,  the  element 
associated  with  that  index  is  uniquely  defined.  Therefore,  we  restrict  U  in  the  following  manner:  given  10 
and  11,  10  U  /I  is  defined  if  and  only  if  the  index  sets  of  10  and  /I  are  disjoint. 

We  define  (i:  x)  to  be  function  (i  x)  which  is  the  function  whose  domain  is  the  element  i  and  whose 
range  is  the  element  x.  Therefore,  we  have  the  property  that  (i:  x).i  =  x  which  is  a  consequence  of  function 
application.  Notice  that  with  this  meaning,  the  restriction  on  U  follows  from  the  fact  that  a  function  cannot 
be  one-to-many. 

Since  [J  is  simply  a  quantifier,  we  can  use  the  following  properties  which  follow  from  the  general  prop¬ 
erties  of  quantification.  However,  we  must  be  careful  since  U  imposes  certain  restrictions  on  its  arguments. 

We  present  some  of  the  axioms  from  [6] .  These  axioms  are  simply  instances  of  a  few  of  the  axioms  for 
general  quantifiers. 

The  following  two  axioms  can  be  used  to  eliminate  quantification  from  an  expression. 

Axiom  ( Empty  Range ) 

{[J  i  I  false  I >  f.i:  t.i)  =  0 

Axiom  (One-point  rule) 

{[J  i  I  [*  =  E ]  >  f.i\t.i)  = 

For  more  general  ranges,  the  following  axiom  can  be  used. 

Axiom  (Range  split) 

For  mutually  exclusive  r  and  s, 

{[J  i  I  r.i  V  s.i  I >  =  {[J  i  I  r.i  >  f.i:  t.i )  U  ([ |  *  I  s.i  t>  f  .i:  t.i) 

The  following  axiom  can  be  used  to  rewrite  the  term. 

Axiom  ( Transform  term) 

If,  for  all  i,  r.i  =>•  ( t.i  =  z.i)  A  (f  .i  =  g.i),  then 
{[J  i  I  r.i  t>  f  .i:  t.i)  =  {[J  i  I  r.i  o  g.i:  z.i)  (3) 

Given  a  tagged  collection,  it  is  important  to  be  able  to  determine  the  value  associated  with  a  particular  tag 
in  the  collection.  We  propose  the  following  axiom  for  tagged  collections. 

Axiom  ( Projection ) 

For  injective  /, 

(U  i  I  r.i  t>  f.i:  t.i).k  —  (|J  i  I  r.i  A  [f.i  =  k]  o  f.i:  t.i).k  (4) 

We  now  prove, 

Theorem  ( Projection ) 

If  r  and  s  are  mutually  exclusive  and  r.k  holds, 

( (| _ |  *  I  r.i  >  i:t.i)  U  (| _ |  *  I  s.i  >  i:z.i)).k  =  t.k  (5) 

Proof.  For  this  proof,  we  define  function  h.i  in  the  following  manner: 
t.i  if  r.i 
z.i  if  s.i 

Now, 

((U  i  I  r.i  >  i:t.i)  U  (|J  i  I  s.i  t>  i:z.i)).k 
=  {  (3):  transform  term;  twice  } 

({[J  i  I  r.i  >  i:  h.i)  U  {j _ |  *  I  s.i  i>  i:  h.i)).k 


(2) 


f.E:t.E ) 


(0) 

(1) 
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=  {  (2):  range  split;  r,s  are  mutually  exclusive  } 

{[J  i  I  r.i  V  s.i  t>  i:  h.i).k 
=  {  (4):  projection  } 

{[J  i  I  ( r.i  V  s.i)  A  [i  =  k]  t>  i:  h.i).k 
=  {  r.k;  ( 3):  transform  term  } 

{[J  i  I  [i  =  k\  >  i:  t.i) .k 

=  {  (1):  one-point  rule  } 

( k :  t.k).k 

=  {  definition  } 

t.k 

□ 

Using  these  theorems  and  axioms,  we  can  manipulate  arbitrary  tagged  collections.  For  example,  the 
tagged  collection  a  =  {[J  i  I  0  <  i  A  i  <  n  t>  i:  i2)  can  be  considered  to  be  an  array  of  size  n  that  contains 
the  squares  of  the  first  n  non-negative  integers,  a.k  would  be  the  fcth  element  of  the  array  (for  0  <  k  <  n), 
since: 

(U  *  I  -0  <  i  A  i  <  n  >  i:  i2).k 
=  {  (4):  projection  axiom  } 

(U  !  I  0  <  i  A  i  <  n  A  [i  =  k]  i >  i:  i2).k 
=  {  0  <  k  A  k  <  n  } 

(|J  i  |  [ i  =  £]  [>  i :  i2).k 
=  {  (1):  one-point  rule  } 

( k :  k2).k 

=  {  definition  } 

it 2 

□ 

We  use  Tag.D  to  denote  the  type  of  a  tagged  collection  of  elements  from  D  with  a  fixed  index  set  U . 
Notice  that  given  a  fixed  index  set  U,  the  tagged  collections  in  Tag.D  can  be  viewed  as  total  functions  from 
14  — D .  For  a  partial  function  p  with  range  R  C  U ,  we  have  that 

P  =  (U  *  I  *  G  R  >  i'.p.i) 

1.1.  FUNCTIONS  AND  COMPOSITION 

Functions  of  type  Tag.D  — ?  D  for  any  domain  D  can  be  composed  in  different  ways.  We  use  /,  g ,  and 
h  to  denote  such  functions.  We  use  L  to  denote  a  tagged  collection.  Note  that  L  =  ([J  i  >  i:  L.i). 

We  generalize  the  notion  of  function  composition  as  follows.  For  any  predicate  p  on  U,  we  define  op 
pronounced  “compose  pv  as: 

(/  op  g).L  =  /.( (U  i  I  p.i  >  r.  g.L)  U  {[J  i  I  — .p.*  >  i:  La))  (6) 

In  words,  (/  op  g)  applied  to  a  tagged  collection  L  replaces  L.k  by  g.L,  for  all  k  that  satisfy  p. 

Theorem  ( Associativity ) 

If  [q  =>  p],  then  (/  op  g)  oq  h  =  /  op  (g  oq  h)  ,  i.e.  op  and  oq  are  mutually  associative  if  [q  =>  p]-(7) 
Proof. 

((/  °P  9)  °q  h).L 
=  {  (6):  def.  of  oq  } 

(/  °p  ff).«U  *  I  9-®  >  h.L)  U  (U  «  I  _,9-«  >  i'-  L.i)) 

=  {  (6):  def.  of  op  } 
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/.( (1 |  i  ]  p.i  t>  i:  <?.({[_]  *  I  9-®"  >  ®:  A.£)  U  (|_|  *  I  -ig.i  >  *:  LA)))  U 

(U  *  I  T-®  >  L.  ((LI  i  I  q.i  >  i:  h.L)  U  (|J  i  I  -i q.i  >  i:  L.i)) .i)) 

=  {  (5):  projection,  since  -> pA  =>  -ig.i  } 

/•((U  ®  I  P-®  >  ®:  <?.({□  *  I  9-*  >  ®:  A.Z)  U  (|J  i  I  -ig.i  >  i:  LA)))  U 

(U  ®"  I  T-®  >  * :  £.*)) 

=  {  (6):  def.  of  o?  } 

/•((U  *  I  P-*  >  *:(<?  °4  A).i)  U  (| _ |  *  I  — ip . *  >  i:  LA)) 

=  {  (6):  def.  of  op  } 

(/  °P  (g  °q  h)).L 

□ 

Theorem  ( Associativity ) 

op  is  associative.  (8) 

Proof.  Follows  from  (7)  and  [p  =>  p\. 

□ 

A  function  of  special  interest  is  the  projection  function,  defined  as 

r  k.L  =  L.k  (9) 

and  pronounced  as  “project  A”.  This  function  can  be  used  to  extract  a  value  associated  with  a  particular 
tag  from  a  tagged  collection. 

Theorem  ( Left  identity ) 

fj.  is  left  identity  of  op,  for  all  k  satisfying  p.  (10) 

Proof. 

a*  o  pf).L 

=  {  (6):  def.  of  op  } 

r*-({|J  1  I  PA  >  i:f-L )  u  (U  i  1  ^PA  >  i-.LA)) 

=  {  (9):  def.  of  [,  } 

((U  i  I  pA  t>  i:f.L)  U  (|J  i  I  -i pA  >  i:LA)).k 
=  {  (5):  projection,  since  p.k  } 

f-L 

□ 

It  follows  that  Op  has  no  right  identity  if  p  is  satisfied  by  more  than  one  k  since  the  projection  functions  are 
distinct. 

Theorem  ( Left  zero) 

fj.  is  left  zero  of  op,  for  all  k  satisfying  -i p.  (11) 

Proof. 

(r  koPf).L 

=  {  (6):  def.  of  op  } 

M<U  1  1  P-1  >  i:f-L )  u(U!  !  >  r.LA}) 

=  {  (9):  def.  of  fj.  } 

((fj  i  I  P-i  >  i'.f.L)  U  (1J  *  I  -i p.i  >  i:L.i)).k 
=  {  (5):  projection,  since  -> p.k  } 

L.k 

=  {  (9):  def.  of  fj.  } 

\k-L 
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□ 

It  follows  that  op  has  no  right  zero  if  -i p  holds  for  more  than  one  k  since  the  projection  functions  are  distinct. 

Theorem 

(/  °p  ft)  °q  9  =  f  °pvq  9,  for  all  k  satisfying  q.  (12) 

Proof. 

((/  °p  ft)  °q  g)-L 

=  {  (6):  def.  of  oq  } 

(/  °p  r*)-«U  1  1  >  ®" •  9-L)  U  {U  i  I  -'«•*  >  i'-L.i)) 

=  {  (6):  def.  of  op  } 

/•(( U  1  I  PA  >  i:  ff((U  1  I  9A  >  Xff-X)  U  <U  «  I  >  i'-L.i})}  U 
(U  i  I  -ip.i  >  i:  ((|J  i  I  §.i  >  i:  g.L)  U  ([J  i  I  -<q.i  >  i:  L.i)).i)) 

=  {  (6):  def.  of  oq  } 

/.((□  i  I  p.i  t>  i:( ^  oq  g).I }  U 

(U  z  I  -1P-*  >  i:({[J  *  I  >  i'.g.L )  U  (|_|  i  I  ~<q.i  >  i:L.i)).i)) 

=  {  (10):  left  identity,  since  } 

/.((U  i  I  p.«  c>  *:  ff.I)  U 

(U  *  I  p.i  t>  i':({[J  i  I  q.i  >  i'.g.L )  U  (| _ |  z  I  -i q.i  >  i:L. i)):.i}) 

=  {  (2):  range  split  } 

/.({[J  i  I  t>  i:  (/./.)  U 

(U  *  I  T-*  A  q.i  t>  i":  ( (| |  «  I  q.i  >  i:  g.L )  U  (| |  *  I  -> q.i  >  i:  L.i)).i)  U 

(U  z  I  ~>p.i  A  -15. i  >  t:  ({U  i  I  ?.i  >  i'.  g.L)  LI  (| |  z  I  -1  q.i  t>  i:  L.i)).i}) 

=  {  (5):  projection,  twice  } 

/•((U  *  I  p.i  >  i-  g  L)  U  (|J  i  I  “ip.i  A  <pi  t>  i'.  g.L}  U 
(U  *  I  _,P-2  A  -13. i  >  i:  i.i}) 

=  {  (2):  range  split  } 

/.( (| _ |  i  I  p.iV  (~>p.i  A  q.i)  >  i:  g.L)  U 

(U  *  I  T-*  A  ~<q.i  >  i:  L.i )  ) 

=  {  pred.  calc.  } 

/.(<u  *  1  (p  V  q).i  t>  i:g.L}  U 
(U  z  I  “'(P  V  s).i  >  i":  X.i)) 

=  {  (6):  def.  of  opVq  } 

(/  °Pv9  ff)-X 

□ 


1.1.0.  POINT  PREDICATES 

Let  [X]  be  the  predicate  that  is  true  only  at  x  —  k,  i.e.  [A’J.x  =  [x  =  k],  [X]  is  a  point  predicate  since  it 
is  true  at  exactly  one  point  in  U . 

Theorem 

f  °P  \k  —  f  °pV[t]  ft 
f  °P  \k~f  6j>A-.[t]  ft 

Proof.  Note  that  the  two  lines  given  above  express  the  same  property.  We  prove  the  former. 

U'  °|  V[tj  f k)-L 

=  {  (6):  def.  of  opV[q,'  (9):  def.  of  \k  } 


(13) 
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/.( (1 _ |  i  ]  p.i  V  [A].*  >  i'.  L.k)  U  (U  i  I  -ip.i  A  t>  i:  L.i)) 

=  {  (2):  range  split;  pred.  calc.  } 

/.((LI  i  I  p.i  A  >  i:  L.k)  U  (|J  i  I  -i p.i  A  -|[A’].2 1>  i:  L.i)  U  (|J  i  I  [A:].*  i>  i:  L.k)) 

=  {  (2):  range  split;  (3):  transform  term;  pred.  calc.  } 

/.( (1 |  i  I  p.i  A  -ip:].*  t>  i:  L.k)  U  (|_|  i  I  ~>p.i  A  -i[A:].*  >  *:  L.i)  U 

(U  *  I  [A].*  A  p.i  t>  i:  L.k)  U  (|J  i  I  [£].«  A  -> p.i  t>  i:  L.i)) 

=  {  pred.  calc.  } 

/•((U  *  I  >  i:  L.k)  U  (|_|  i  I  -ip.i  t>  i:L.i)) 

=  {  (6):  def.  of  o;  :  (9):  def.  of  } 

(/  o,  r*)-i 

We  now  have. 

Theorem 

/  °false  9  —  f 

Proof. 

(/  Gfalse  (l  )  -  L 

=  {  (6):  def.  of  ofalse  } 

/•((U  i  I  false. i  >  i:  g.L)  U  {| _ |  *  I  -ifalse.i  o  i:  L.i)) 

=  {  (0):  empty  range  } 

/.(0  U  <U  *  >  i:  L.i)) 

=  {  0  is  the  identity  of  U  } 

f-L 

□ 

We  mentioned  earlier  that  op  had  no  right  identity  if  p  holds  for  more  than  one  point.  However,  when 
p  is  a  point  predicate,  we  have  that 

Theorem  (Right  identity) 

["jj.  is  the  right  identity  of  opj.  (15) 

Proof. 

/  °m  r  k 

=  {  (13),  since  false  V  [A’J  =  [A’J  } 

/  ° false  fjfc 

=  {  (14)  } 

/ 

We  introduce  some  special  notation,  [  J  * ,  defined  as  follows 

[f\k  —  /  °true  \ k 

Theorem 

(17) 

Proof. 

/  °-.[*]  r* 

=  {  (13)  } 

/  °-.[*]v[*]  \k 
=  {  pred.  calc.  } 


□ 

(16) 


□ 

(14) 
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f  °true  \ k 

=  {  (16):  def.  of  |_  J  k  } 

[f\k 

□ 

Theorem 

[\k\s  =  h  (18) 

Proof. 

L  r  *  j  j 

=  {  (16):  def.  of  [_  \q  } 

( i:  °true  f  y 

=  {  (10):  left  identity,  since  true.k,  for  any  k  } 

□ 

Theorem 

For  any/,  Ll/JtJi  =  l/Jj  (19) 

Proof. 

LL/JaJ, 

=  {  (16):  def.  of  L  Jj  } 

[/ J  k  °true  f  y 

=  {  (16):  def.  of  [_  J  * ;  (8) :  associativity  } 

f  ®true  \ k  Ofrue  [j 

=  {  (10):  left  identity,  since  true.k,  for  any  k  } 

f  ° true  [j 

=  {  (16):  def.  of  [  Jj  } 

[f\j 


□ 

Theorem 

J  k  is  idempotent 

(20) 

Proof.  Follows  from  (19). 

□ 

Theorem 

[/  °true  9\k  —  \_f  J  k  °true  \_9  \  k 

(21) 

Proof. 

[/  °true  9 J  k 

=  {  (16):  def.  of  [  (8):  associativity  } 

/  °true  9  ° true 

=  {  (10):  left  identity,  since  true.k  for  any  k  } 

/  °true  \ k  °true  9  °true  \  k 

=  {  (16):  def.  of  [  J*,  twice;  (8):  associativity  } 

\_f\k  °true  (l/J  /, 

□ 

With  these  operators,  we  cannot  define  (/  opAq  g )  using  op  and  oq.  However,  if  we  had  a  way  to  define 
o _,p  in  terms  of  o;i .  then  we  could  obtain  p  A  q  from  pV  q.  We  do  not  know  how  to  do  this,  but  instead 
introduce  a  new  operator  *p,  defined  by 
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*  p  —  °-i  p  -  (22) 

Theorem  ( dual  of  (12)) 

(f  •?-  \k)  *q  9  =  f  *p/\q  g,  for  all  k  satisfying  ~^q.  (23) 

Proof. 

(/  »P  *4  g 

=  {  (22):  def.  of  •,  twice  } 

(/  °-P  \k) 0-1 4  g 

=  {  (12),  with  p,  q  :=  -ip,  -15,  since  -15. £  } 

/  °-rpv-iq  g 

=  {  De  Morgan  } 

/  °-.(pA4)  <7 

=  {  (22):  def.  of.pA4  } 

f  *pAq  g 

□ 

We  have  additional  properties  of  which  follow  from  those  of  o.p  . 

Theorem  (Left  zero) 


\k  is  left  zero  of  «p  for  all  k  satisfying  p.  (24) 

Proof.  Follows  from  (11),  (22).  □ 

Theorem  (Left  identity) 

f  k  is  left  identity  of  »p  for  all  k  satisfying  -1  p .  ( 25) 

Proof.  Follows  from  (10),  (22).  □ 

Theorem  (Right  identity ) 

1"^.  is  the  right  identity  of  •-,[*]  (26) 

Proof.  Follows  from  (15),  (22).  □ 

Theorem 

f  *p  \k  =f  *pV[i:]  P A:  ,.2'J) 

f  *P  \k=f  fjt 

Proof.  Follow  from  (13),  (22).  □ 

Since  fj.  is  the  right  identity  of  ojj,] ,  we  examine  the  effect  of  f^.. 

Theorem 

/  •[*]  r*  =/  0 tries.  \k  (28) 

Proof.  Follows  from  (16),  (17),  (22).  □ 

We  explore  additional  properties  of  op  for  monotonic  functions.  We  assume  that  there  exists  some 
partial  ordering  C  defined  on  the  elements  of  D.  We  extend  this  order  to  Tag.D  by  the  following  definition: 
([J  i  I  p.i  o  f  .i:  t.i )  C  (|J  i  \  p .i  o  f  .i:  u.i)  =  (V  *  I  P-i  >  i-i  C  u.i )  for  injective  /.  (29) 


This  ordering  is  monotonic  in  each  member  of  Tag.D.  Note  that  this  order  is  defined  only  if  /  is  injective. 
We  now  have  the  following  theorems: 

Theorem  (Monotonicity) 

f  op  g  is  monotonic  in  /.  (30) 

Proof. 

(/  °P  g)-L  E  (/'  op  g).L 
=  {  (6):  def.  of  op ,  twice  } 

/•({(J  *  I  P-i  >  i-  g-L)  U  (j |  i  I  -1  p.i  t>  i:  L.i ))  C  /,.((L|  i  I  p.i  >  i'.  g.L )  U  (| |  *  I  -1  p.i  t>  i:  L.i )) 


<=  {  } 
/  E  /' 
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□ 

Theorem  ( Monotonicity ) 

f  op  g  is  monotonic  in  g,  for  monotonic  /. 

Proof. 

(/  °P  9)-L  C  (/  op  ffO-i 

=  {  (6):  def.  of  op,  twice  } 

/•((U  *  I  P-i  >  <?-i)  U  <□  i  I  -i p.i  t>  i:  L.i))  C  /.({|J  *  I  P-i  >  *:  i/hi)  U  (|_|  i  I  — . *  >  i:  L.i)) 

■<=  {  /  is  monotonic  } 

((U  *  I  P-*  >  *:  <?-P)  U  (|J  i  I  -ip.i  t>  i:  L.i))  C  (([J  i  I  p.i  t>  i:  £//.X)  U  (| _ |  *  I  -> p.i  >  i:  L.i )) 

=  {  (29):  C  on  Tag.D  } 

{[J  i  I  p.i  i>  i:  g.L)  C  (|J  i  I  p.i  >  i:  i/'.i} 

=  {  (29):  C  on  Tag.D  } 

(V  i  I  p.i  >  g.L  C  (?/.i) 

<=  {  calculus  } 

p.i  C  g'.L 

<=  {  } 

g  Q  g' 

□ 


1.2.  EXTENSION  TO  OTHER  OPERATORS 

So  far  we  have  examined  the  effect  of  extending  o  to  of.  We  now  demonstrate  that  we  can  define  op 
in  terms  of  o,  given  an  additional  operator.  This  operator  can  then  be  used  to  extend  other  operators  to 
tagged  collections. 

To  be  able  to  define  op  in  terms  of  o,  notice  that  the  op  operator  performs  a  selective  substitution. 
Motivated  by  this,  we  define  «p d  — a  conditional  replace  operator —  and  its  dual  ap»  as  follows: 

([J  i  t>  i:  s.i)  *p d  ([J  i  t>  i:  t .i)  =  (|_|  i  I  — >p . i  >  i:  $.i)  U  (|_|  i  I  p.i  >  i:  f.i)  (31) 

{[J  i  >  i:  s.i)  apt  ([J  i  >  i:  t.i)  —  (|J  i  I  p.i  t>  i:  s.i)  U  (| |  i  I  — >p . i  >  i:  f.i)  (32) 

We  can  define  op  in  terms  of  o  using  the  *p d  operator.  To  do  so,  we  define  C-.u  to  be  the  tagged 

collection  ([J  i  >  i:  a).  We  now  have: 

(f  Op  g).L  =  f  o  (L  tpc  C.(g.L))  (33) 

(f  tp  g).L  =  f  °  (L  apt  C..(g.L))  (34) 

Using  this  definition  of  *pc ,  we  can  extend  an  arbitrary  binary  operator  op  having  a  unit  element  u.  Let 
op  denote  the  pointwise  extension  of  op  to  total  functions  from  U  — ►  D .  We  can  write  these  total  functions 
as  tagged  collections.  We  can  define  opp  as  follows: 

A"  opp  Y  =  X  op  (  Y  «po  C.u)  (35) 

Notice  that  with  op  replaced  by  o,  this  definition  differs  from  the  one  used  for  conditional  composition.  We 
will  see  opp  again  in  section  4. 

2.  APPLICATION  AREA:  PROGRAM  SEMANTICS 

We  describe  a  program  semantics  with  an  additional  conditional  composition  operator  <p,  where  p  is  a 
predicate  on  U .  Imposing  a  structure  on  the  predicates  used  for  the  weakest  precondition  semantics  allows 
us  to  identify  the  composition  operators  presented  earlier  with  the  composition  of  statements.  We  follow  the 
path  of  [7],  [8],  [9]  and  [11]  which  first  describe  an  operational  semantics  in  terms  of  traces  and  then  derive 
a  weakest  precondition  semantics  from  it. 
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2.0.  TRACE  SEMANTICS 

We  will  use  the  semantics  of  statements  presented  in  [8],  [11],  [5].  We  use  X  to  denote  the  (non¬ 
empty)  state  space.  Variables  that  refer  to  the  state  are  implicitly  assumed  to  be  from  X .  Traces  are 
nonempty  sequences  of  states,  fin.t  is  true  just  when  t  is  a  trace  of  finite  length,  inf  A  is  the  negation  of 
fin.t.  Concatenation  of  traces  is  denoted  by  juxtaposition.  Using  these  notational  conventions,  we  have  the 
following  trace  semantics  for  skip  and  assignment. 

skip  =  {i>i]  (36) 

(v  :=  E)  =  {x  >  x  x[v  :=  /'.  }  (37) 

For  sequential  composition,  we  have  [8],  [11] 

S;  T  =  {s,  x,t  I  sx  6  S  A  xt  £  T  A  fin.s  >  sxt}  U  {s  I  s  (E  S  A  inf  .s  t>  s}  (38) 

We  assume  that  there  exists  a  total  function  idx:X  — *  U.  This  function  defines  a  partition  on  X.  We 
introduce  a  conditional  composition  operator  (pronounce  “try”,  as  in  triangle)  — where  p  is  a  predicate 
on  U —  that  has  the  following  operational  meaning.  We  write  S  <p  T  for  the  statement  whose  execution 
consists  of:  executing  S;  if  execution  thereof  terminates  in  a  state  x  satisfying  (p  o  idx),  then  executing  T 
as  well;  if  S  does  not  terminate,  or  S  terminates  in  a  state  x  satisfying  -i (p  o  idx),  then  not  executing  T. 
The  trace  semantics  can  be  described  by 

S  <p  T  —  {s,  x,t  I  sx  £  S  A  xt  £  T  A  fin.s  A  (p  o  idx). x  t>  sxt }  U 

{ s  I  s  G  S  A  ( inf  .s  V  ~>(p  o  idx). (last. s))  t>  s}  (39) 


Analogous  to  «p,  we  define  <P  to  be  <N„, 

Theorem 

I  =  ^ true  (40) 

Proof.  Follows  from  the  definition  of  <true.  □ 

Theorem  (Identity  of ;) 

skip  is  the  left  and  right  identity  of  ;  (41) 

Proof.  Can  be  taken  without  modification  from  [8], [11].  □ 

The  following  are  some  theorems  about  semicolon. 

Theorem  (From  [5],  [8],  [11].) 

;  is  associative.  (42) 

;  is  universally  U-distributive  in  its  left  argument.  (43) 

;  is  positively  U-distributive  in  its  right  argument.  (44) 


We  can  use  the  definition  of  repetition  and  selection  from  [5],  [8],  or  [11]  without  modification  since  the 
trace  semantics  for  semicolon  has  not  been  changed.  We  use  the  definition  of  the  IF  statement  given  in  [5] . 
Since  we  have  defined  all  our  earlier  semantics  in  terms  of  trace  sets,  we  rewrite  the  definition  presented  in 
[5]  in  the  following  manner.  For  any  predicate  b,  we  define  6?  as  follows: 

6?  =  {x  I  x  £  X  A  b.x  >  x}  (45) 

Using  this  definition  of  6?,  we  define  the  IF  statement  from  [5]  as: 

if { D  i  >  bt  —>  Si) fi  =  (U  i  >  b.,1;  S,)  U  (V  i  >  E  (46) 

where  E  is  defined  as  the  set  of  all  eternal  traces.  If  we  know  that  (3  i  >  bf)  holds,  then  we  can  simplify 

(46)  to: 

if  (I  i>bi-*  St)  fi  =  {U  i  >  bil;  St)  (47) 

Using  these  trace  semantics,  we  have  the  following  theorem: 

Theorem  (Conditional  Composition ) 

S  <p  T  =  S;  if  (p  o  idx )  T|-i(p  o  idx)  —*  skip  fi 

Proof.  For  this  proof,  we  use  IF  =  if  (p  o  idx)  — >  T|-i(p  o  idx)  — »  skip  fi 

S;  IF 


(48) 


RVM7b  -10 


=  {  (38):  def.  of  ;  } 

{s,  x,  t  I  sx  E  S  A  xi  E  IF  A  fin.s  t>  sxt}  U  {s  I  s  E  S  A  inf  .s  t>  s} 

=  {  (46):  def.  of  IF;  (47)  } 

{s,  x,t  I  sx£5Ari£((yo  idx)7;  T )  U  (-i(p  o  idx)l ;  skip )  A  fin.s  t>  sxt}  U 
{s  I  »  E  5  A  inf  .s  t>  s} 

=  {  range  split  } 

{s,  x,  i  I  sx  E  S  A  xt  E  ((p  o  2<ix)? ;  T)  A  fin.s  o  sxt}  U 

{s,  x,  t  I  sx  E  5  A  xt  E  ( — '(/>  o  irfx)?;  s&ip)  A  fin.s  t>  sxt}  U  {s  I  s  E  S  A  inf  .s  t>  s} 

=  {  (45):  def.  of  6?  twice  } 

{s,  x,  t  I  sx  E  S  A  xt  E  T  A  fin.s  A  (p  o  idx).x  o  sxt}  U 

{s,  x,  t  I  sx  E  S  A  xt  E  skip  A  fin.s  A  ~>(p  o  idx).x  >  sxt}  U  {s  I  s  6  S  A  inf  .s  t>  s} 

=  {  (36):  def.  of  skip;  sx  :=  s  } 

{s,  x,  t  I  sx  E  S  A  xt  E  T  A  fin.s  A  (p  o  idx).x  t>  sxt}  U 

{s  I  s  E  5  A  fin.s  A  ~>(p  o  idx).(last.s)  >  s}  U  {s  I  s  E  S  A  inf  .s  t>  s} 

=  {  range  split  } 

{s,  x,  t  I  sx  E  S  A  xt  E  T  A  fin.s  A  (p  o  idx).x  t>  sxt}  U 
{s  I  s  6  SA  (inf  ..s  V  (fin.s  A  ~>(p  o  idx).(la.st.s )))  >  s} 

=  {  absorption,  since  fin.s  A  inf  .s  =  false  } 

{s,  x,  t  I  sx  E  S  A  xt  E  T  A  fin.s  A  (p  o  idx).x  t>  sxt}  U 
{s  I  s  E  S  A  ( inf  .s  V  ~>(p  o  idx).(last.s))  >  s} 

=  {  (39):  def.  of  } 

S  <p  T 

□ 

This  theorem  demonstrates  how  the  semantics  of  the  IF  statement  can  be  used  to  describe  conditional 


composition. 

Theorem 

<P  is  associative  (49) 

Proof.  Follows  from  (48)  and  (42),  (44),  (46).  □ 

Theorem 

Op  is  universally  U-distributive  in  its  left  argument.  (50) 

Proof.  Follows  from  (48)  and  (43),  (46).  □ 

Theorem 

<p  is  positively  U-distributive  in  its  right  argument. 

Proof.  Follows  from  (48)  and  (42),  (44),  (46).  □ 


2.1.  WEAKEST  PRECONDITIONS 

We  define  function  wp.S.Q  to  be  the  weakest  condition  on  the  initial  state  such  that:  execution  of  S 
terminates;  on  termination  Q  holds  [4].  We  examine  the  weakest  precondition  semantics  for  conditional 
composition.  We  use  the  usual  wp  semantics  from  [4]  using  the  definition  of  wp  presented  in  [8],  [11]  in  terms 
of  traces. 

wp.S.Q.x  =  (V  t  I  first.t  =  x  A  t  E  S  t>  fin.t  A  Q.(last.t)}  (51) 

We  confine  our  attention  to  predicates  Q  that  are  partitioned  predicates.  Let  l  =  (|J  i  I  i  E  U  t>  i.t.i } 
be  a  tagged  collection  of  predicates.  We  associate  partition  i  with  predicate  t.i.  We  define  the  partitioned 
predicate  T  represented  in  terms  of  t  to  be 
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[T  =  {V  i  >  ([*]  o  idx )  =>•  t.i}]  (52) 

From  now  on,  we  use  tagged  collections  and  predicates  interchangeably.  Using  this  definition  of  a 
predicate,  we  can  explore  properties  of  the  wp  and  <lp.  We  first  examine  some  additional  properties  that 
relate  «pD,  C,  and  partitioned  predicates. 

Theorem 

For  a  partitioned  predicate  Q, 

[Q  =  C.Q  (53) 

Proof. 

C.Q 

=  {  def.  of  C.  } 

(U  i  >  i:  Q) 

=  {  (52)  } 

(V  i  >  ( D1  o  idx)  =>  Q) 

=  {  (52)  } 

(V  i  >  ([*]  o  idx)  =>■  {V  j  >  ([?']  o  idx)  =>  Q.j)) 

=  {  over  V  } 

(V  i  >  (V  J  >  ([«]  o  idx)  =>  (([j]  o  «dx)  =>  Q.j))) 

=  {  interchange  of  dummies  } 

(V  j  c>  {V  t  >([«]  o  idx)  =>  (([j]  o  idx)  ^  Q.j))) 

=  {  pred.  calc.  } 

(V  j  >  (3  i  >  [«]  o  idx)  =>  ((DJ  o  idx)  =>  Q.j)) 

=  {  idx  is  total  } 

(V  j  c>  ([j]  o  idx)  =>  Q.j) 

=  {  (52)  } 

Q 

□ 

From  (53),  we  can  see  that  the  set  of  partitioned  predicates  is  the  same  as  the  set  of  ordinary  predicates. 
Therefore,  a  partitioned  predicate  is  simply  a  predicate  that  has  some  structure. 

Theorem 

[(p  o  idx)  =  (3  *  I  p.i  >  [«]  o  idx)]  (54) 

Proof. 

(3  i  I  p.i  >  ([*]  o  idx).x) 

=  {  trading  } 

(3  i  I  ([«]  o  idx).x  t>  p.i) 

=  {  def.  of  [i]  } 

(3  i  I  [idx.x  =  i]  t>  p.i) 

=  {  one-point  rule  } 

p.(  idx .x) 

=  {  def.  of  o  } 

(p  o  idx).x 

□ 

We  now  examine  the  effect  of  *p d  on  partitioned  predicates. 

Theorem 

[( Q  *PD  R)  =  (“’(p  o  idx)  =>  Q)  A  ((p  o  idx)  =>  i?,)] 


(55) 


RVM7b  -12 


Proof. 

(-i (p  o  idx)  =>  Q)  A  ((p  o  idx)  =>•  R) 

=  {  (54)  twice  } 

({3*1  -'p.i  >  [*]  o  idx )  =>  Q)  A  ({3  *  I  p.i  >  [*]  o  idx }  =>  R ) 

=  {  pred.  calc.  } 

(V  i  I  -'P-i  >  ([*']  o  idx )  =>■  Q)  A  (V  *  I  p.i  >  ([*]  o  idx)  =>  R) 

=  {  (31):  def.  of  «/jd ;  (52)  } 

(|J  *  t>  *:  Q)  {[J  *  t>  *:  R) 

=  {  def.  of  C.  twice  } 

C.Q  *p d  C.R 
=  {  (53)  twice  } 

Q  *p d  R 

□ 

We  now  examine  some  properties  of  wp.  Since  the  traces  of  semicolon,  skip,  and  assignment  are  the 


same  as  those  in  [8]  and  [11],  all  their  results  still  hold.  In  particular,  we  have 
Theorem  (From  [8],  [11].) 

[wp  .skip  .Q  =  Q]  (56) 

[wp.{v  :=  E).Q  =  Q[v  :=  B))  (57) 

[wp.[S;  T).Q  =  wp.S.(wp.T.Q)\  (58) 

We  now  examine  the  weakest  precondition  semantics  for  conditional  composition. 

Theorem 

[wp.(S  T).Q  =  wp.S.(Q  *po  wp.T ,Q)\  (59) 


Proof. 

wp.(S  <p  T).Q 
=  {  (48):  as  IF  } 

wp.(S;  if  (p  o  idx )  — *  T|-i(p  o  idx)  —>■  skip  fi ).Q 
=  {  (58):  wp  of  ;  } 

wp .S .(wp .if  (p  o  idx)  T|-i(p  o  idx)  — »  skip  fi  . Q ) 

=  {  wp  of  IF  (from  [4],  [8],  [11])  } 

wp.S  .(((p  o  idx)  V  -i  (p  o  idx))  A  ((p  o  idx)  =>  wp.T  .Q)  A  (-i  (p  o  idx)  =>  wp  .skip  .Q)) 

=  {  [X  V  .Y];  (56)  [ 

wp.S .(((p  o  idx)  =>  wp.T .Q)  A  (-'(p  o  idx)  =>  Q)) 

=  {  (55)  } 

wp.S.(Q  *pv  wp.T.Q) 

□ 

We  now  relate  to  the  composition  operator  op. 

Theorem 

[wp.(S  <p  T)  =  wp.S  op  wp.T]  (60) 

Proof. 

wp.(S  <p  T).Q 
=  {  (59):  wp  of  <p  } 

wp.S.(Q  *p d  wp.T.Q) 

=  {  (53)  } 


wp.S.(Q  *pt>  C.(wp.T.Q)) 

{  (33):  def.  of  op  using  *po  } 
( wp.S  op  wp.T).Q 
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We  conclude  this  section  by  identifying  a  program  with  its  weakest  precondition.  We  have  the  following 
correspondences: 

skip  =  id 

S  <p  T  =  S  Op  T,  or 


3.  APPLICATION  AREA:  PROGRAMMING  LANGUAGES 

The  <1  p  operator  presented  above  can  be  used  in  various  ways.  In  this  section,  we  suggest  a  disciplined 
approach  to  the  introduction  of  such  an  operator  into  a  programming  language. 

We  then  demonstrate  how  one  can  use  this  operator  to  describe  the  semantics  of  exceptions  [7],  loop 
exits,  and  structured  jumps  [1], 

3.0.  SEMANTICS  OF  PARTITIONS 

We  describe  how  the  semantics  of  conditional  composition  can  be  used  to  describe  the  semantics  of  a 
program  given  a  partition  of  the  state  space.  We  identify  an  element  of  the  partition  with  an  element  from 
the  index  set  U . 

Restriction.  Each  element  of  the  partition  of  the  state  space  has  the  same  cardinality.  Fur¬ 
thermore,  there  exists  a  well-defined  mapping  from  one  element  of  the  partition  to  another. 

( End  of  Restriction.) 

3.0.0.  PARTITIONS 

We  assume  that  there  exist  functions  |_  Ja  for  k  E  U,  which  map  states  to  states.  These  functions  are 
assumed  to  satisfy  the  following  two  properties: 

(V  x,kt>  idx\x J *  =  k)  (61) 

(v^(v  k,j  t>  LbJfcJj  =  k.  .,■)'?  (62) 

Properties  (61)  and  (62)  guarantee  that  the  partitions  are  of  equal  size,  [ijoidx  can  be  used  to  determine 
if  the  current  state  belongs  to  element  i  from  the  partition.  The  restriction  given  above  implies  that  there 
exist  functions  [_  J  satisfying  (61)  and  (62). 

3.0.1.  PROGRAM  STATEMENTS 

Notice  that  the  functions  M  *  define  a  method  by  which  one  can  switch  from  one  element  of  the 
partition  to  another.  To  enable  us  to  do  this  in  the  framework  of  a  programming  language,  we  introduce  a 
new  statement  switch a,  defined  by 

switch h  =  {x  >  x  [xJa}  (63) 

Restriction.  For  a  programming  language  implementing  such  a  semantics,  switch  is  the  only 
statement  by  which  a  transition  can  be  made  from  one  element  of  the  partition  to  another. 

( End  of  Restriction.) 

Theorem  ( Left  zero) 

switch a  is  the  left  zero  of  <p,  for  all  k  satisfying  -i p.  (64) 

Proof. 


switch  a  <lp  T 
=  {  (39):  def.  of  <p  } 
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{s,  x,t  I  sx  £  switch k  A  xt  £E  T  Afin.s  A  ( p  o  idx).x  >  sxf}  U 
{s  I  s  £  switch k  A  (inf  .s  V  -i(p  o  idx).(last.s))  >  s} 

=  {  (63):  def.  of  switch,  since  -i p.k  } 

{s  I  s  £  switch h  >  s) 

=  {  def.  of  set  } 

switch  ic 

□ 

Theorem 

wp  .switch  h.Q  .x  —  Q.[x\k-  (65) 

Proof. 

wp. switch);.  Q.x 
=  {  (51):  def.  of  wp  } 

(V  t  I  first.t  =  xA(£  switchk  >  fin.t.  A  Q.(last.t)) 

=  {  (63):  def.  of  switchk  } 

{V  t  I  f  =  x  >  Q.[t\k ) 

=  {  one-point  rule  } 

Q-[x\k 

□ 

Restriction.  Earlier,  we  had  used  tagged  collections  as  predicates.  We  now  impose  one  addi¬ 
tional  restriction  on  the  predicates  used  in  the  tagged  collection.  If  Q  is  the  tagged  collection 
([J  k  t>  k:  q.k ),  then 

(V  i,j ,  k,  x  >  q.k.  [xj8  =  q.k\x\j)  (66) 

In  other  words,  Q.k.x  does  not  depend  on  the  element  of  the  partition  to  which  x  belongs. 

( End  of  Restriction.) 

Theorem 

wp  .switchk  =  r*  (67) 

Proof. 

wp. switchk.  Q.x 

=  {  (65)  } 

Q-[x\k. 

=  {  (52):  tagged  collection  as  a  predicate  } 

Q.k.[x\k 

=  {  (66)  } 

Q.k.x 

=  {  (9):  def.  of  r*  } 

(\k-Q)-x 

□ 

Once  again  identifying  a  program  with  its  wp,  we  have 
switchk  =  ft 

Note  that  the  properties  of  functions  discussed  in  section  1  do  not  always  carry  over  to  the  trace 
semantics,  although  they  are  maintained  by  the  weakest  precondition  semantics.  This  can  be  expected, 

since  trace  semantics  are  more  concrete  than  wp  semantics  which  only  refer  to  initial  and  final  states  of  the 

computation.  We  can  derive  additional  properties  using  the  theorems  from  section  1.  For  instance,  we  can 
prove  (from  (10))  that 
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switchk  <p  S  =  S ,  if  p.k 

The  semantics  of  partitioned  state  spaces  can  be  used  in  various  ways.  Defining  the  partition  of  the 
state  space  in  different  ways  can  result  in  semantics  for  different  language  constructs.  The  sections  below 
describe  three  such  partitions  of  the  state  space.  They  use  the  following  partitions: 

1.  For  the  semantics  of  exceptions  presented  in  [7],  a  boolean  coordinate  oc  is  introduced  into  the 
state  which  is  used  to  partition  the  state  space  into  two  subspaces. 

2.  To  extend  the  semantics  presented  in  [7]  to  handle  more  than  one  exception,  we  let  the  oc  coordinate 
be  integer  valued. 

3.  Structured  jumps  use  a  partition  in  which  an  extra  coordinate  label  is  used  to  identify  the  label  of 
the  block  to  which  a  branch  is  to  be  executed. 


3.1.  SEMANTICS  OF  EXCEPTIONS— NORMAL  AND  EXCEPTIONAL  STATES 

In  this  section,  we  relate  the  semantics  presented  in  [7]  to  those  presented  here.  <3  is  used  to  denote  the 
<1  operator  from  [7].  Note  that  in  [7],  there  is  an  underlying  assumption  that  all  programs  begin  in  normal 
states.  The  functions  considered  in  [7]  are  from  D  x  D  D ,  which  is  a  special  case  of  the  generalized 
compositions  presented  here  with  U  =  {0,  1}. 


3.1.0.  FUNCTIONS  OF  TWO  ARGUMENTS 

We  have  the  following  correspondence  between  functions  and  compositions  presented  in  [7]  and  those 
explored  in  this  note.  The  correspondence  follows  from  the  fact  that  the  normal  state  is  identified  with 
0  and  the  exceptional  state  is  identified  with  1. 


Exceptions 

Partitions 

Exceptions 

Partitions 

X 

°  false 

L 

To 

<° 

°[0] 

R 

ti 

°[1] 

[x\ 

Lxjo 

<°) 

° true 

\x] 

Lull 

We  have  that 

•  ,  f  0  if  x.oc  =  _L 
idx  .x  —  < 

1 1  if  x.oc  =  T 

[xjo  =  x[oc  :=  _L] 

[xj  i  =  x[oc  :=  T] 


The  theorems  presented  in  [7]  follow  from  those  presented  here.  In  addition,  we  have  the  following  corre¬ 
spondence: 


nor  =  [0]  o  idx 
exc  =  [1]  o  idx 


3.1.1.  TRACE  SEMANTICS 

The  program  constructs  presented  in  [7]  are  different  from  those  presented  here.  In  particular,  execution 
always  begins  in  the  normal  state,  and  the  try  operator  lowers  the  exception  before  executing  the  exception 
handler.  We  have  the  following  correspondence  between  the  semantics  presented  in  [7]  and  in  this  note. 


Exceptions 

Partitions 

S;  T 

S  <  T 

raise 

skip 

S  <[0]  T 

S  <[i]  ( switch^ ;  T) 
switchi 
{x  >  |xJo} 

Notice  that  the  normal  and  exceptional  states  defined  in  [7]  are  not  symmetric,  a  fact  reflected  in  the 
table  given  above. 
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Theorem 

S  <  T  =  S  <[i]  (switcho;  T ) 

Proof. 

S  <[i]  ( switcho ;  T) 

=  {  (39):  def.  of  <[!]  } 

{s,  x,  t  I  sx  £  5  A  xt  £  ( switcho ;  T)  A  ( [1]  o  idx).x  A  fin.s  >  sxt}  U 
{s  I  s  E  5  A  (inf  .s  V  _1(|1]  o  idx). (last.s))  >  s} 

=  {  -[1]  =  [0]  } 

{s,  x,t  I  sx  £  5  A  xt  £  (switcho;  T )  A  ( [1]  o  idx).x  A  fin.s  >  sxt}  U 
{s  I  s  6  5  A  ( inf.sW  ([0]  o  idx).(last.s))  t>  s} 

=  {  (38):  def.  of  ;  since  switcho  contains  only  finite  traces  of  length  >  1  } 

{s,  t,u,x,y  I  sx  £  S  A  xty  £  switcho  A  p  6  T  A  fin.s  A  ([1]  o  idx).x  >  sxfj/a}  U 
{s  I  s  £  5  A  (inf  .s  V  ([0]  o  idx) .(last .s ))  c>  s) 

=  {  (63):  def.  of  switcho;  t,  y  ■—  e,  [xjo  } 

{s,  u,x  I  sx  £  S  A  [xJom  £  T  A  fin.s  A  ([1]  o  idx).x  t>  sx[xJom}  U 
{s  I  s  £  5  A  (inf  .s  V  ([0]  o  idx). (last. s))  i>  s} 

=  {  switch  to  notation  in  [7]  } 

{s,  a,  x  I  sx  £  5  A  [xj  m  £  T  A  ^in.s  A  exc.x  >  sx  [xj  a}  U 
{s  I  s  £  5  A  ( inf  .s  V  nor.( last.s ))  c>  s} 

=  {  from  [7]  } 

5  <  T 

□ 

3.1.2.  WEAKEST  PRECONDITIONS 

The  semantics  differ  in  the  definition  of  the  weakest  preconditions.  The  reason  for  this  difference  is  that 
[7]  only  considers  programs  that  execute  statements  in  the  normal  state. 

[7]  defines  the  weakest  precondition  of  a  statement  S  given  postcondition  Q  to  be  the  condition  that 
guarantees  that:  the  program  terminates  in  a  normal  state;  on  termination  Q  holds.  As  opposed  to  this, 
we  define  the  weakest  precondition  to  be  the  condition  that  guarantees  that:  the  program  terminates;  on 
termination  Q  holds.  Also,  we  do  not  have  to  apply  wp.S  to  a  pair  as  in  [7],  but  to  a  single  (partitioned) 
predicate. 

3.2.  MORE  THAN  ONE  EXCEPTIONAL  STATE 

If  we  extend  the  semantics  in  [7]  to  n  exceptions,  and  we  define  <^.  to  be  <[*,] ,  then  we  can  use  similar 
correspondences  between  the  constructs  presented  in  this  note  and  [7]  to  obtain  a  semantics  for  programs 
with  more  than  one  exceptional  state. 

3.3.  LOOP  EXITS 

Modula-3  is  an  example  of  a  programming  language  with  exceptions  [10].  A  loop  exit  in  Modula-3  is 
considered  to  be  the  raising  of  an  exception  which  causes  control  to  be  passed  outside  the  loop.  With  the 
semantics  described  in  this  note,  switch j,  can  be  used  to  exit  from  a  loop,  and  wp-semantics  may  be  used  to 
determine  the  condition  which  holds  on  termination  of  the  loop.  We  use  loop  S  end  to  mean  an  infinite 
repetition  of  statement  S,  composed  using  that  is,  S  ■*[*]  S  •  •  • 

(loop  S  end)  E 

In  the  program  given  above,  S'  is  a  statement,  possibly  containing  switch *  statements,  in  which  substatements 
are  composed  using  ^p]- 

Multiple  exits  can  be  defined  using  a  single  exception  handler  which  can  handle  more  than  one  type 
of  exception  using  a  structure  similar  to  the  one  shown  above.  If  there  are  two  possible  exits,  say  k  and  /, 
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switchk  or  switchi  can  be  used  to  exit  the  loop.  The  semicolon  used  to  define  the  loop  now  becomes 

The  exit  exception  handler  can  be  refined  to  handle  the  two  different  exists  separately  as  follows: 
(loop  5  end)  <3[*]v[i]  {{skip  <[*]  £0)  <[,]  £1) 

3.4.  STRUCTURED  JUMPS 

Another  application  of  the  semantics  presented  here  is  to  define  the  meaning  of  a  branch  statement  (cf. 
[1],  [2]).  We  describe  how  a  structured  branching  technique  can  be  implemented  with  two  different  statement 
labels.  For  two  labels,  we  let  U  =  {A,  B,  N ,  £}. 

Let  A  and  B  be  the  branch  labels.  Let  50,  51  be  the  programs  which  are  executed  when  control  is 
transferred  to  labels  A  and  B  respectively,  switch a,  switch g  are  statements  which  transfer  control  from  one 
statement  block  to  another  directly.  The  program  shown  below  implements  such  a  branching  scheme  using 
the  composition  operators  described  in  this  note.  We  assume  that  the  program  starts  executing  50  initially. 
£  is  used  to  terminate  execution,  and  the  semicolon  shown  below  is  defined  to  be  <[jvj.  Substatements 
(if  any)  of  50  and  51  are  composed  using  <1  [a'J  -  The  semicolon  defining  the  loop  is  If  we  interpret 

A  <p  B  <q  C  to  mean  {A  <p  B )  <9  C,  then  the  program  can  be  written  as: 

{switch a  <[Ji]v[s]  loop  skip 

<[^j  (switch^;  50;  switch e) 

<[g]  (switch ;  51;  switch e) 
end  <[£]  switch jv) 

3.5.  DISCUSSION 

In  this  section,  the  semantics  of  partitions  was  introduced  by  imposing  restrictions  on  programming 
language  constructs,  and  introducing  the  switch  statement.  It  was  shown  how  partitions  could  be  used  to 
give  a  semantics  for  exceptions,  loop  exits,  and  structured  jumps.  Notice  that  theorem  (48)  suggests  an 
implementation  of  the  semantics  of  partitions  using  the  IF  statement.  By  showing  how  this  operator  can 
be  used  to  describe  exceptions,  we  have  also  demonstrated  that  a  programming  language  with  exceptions 
would  have  to  check  if  an  exception  had  been  raised  after  the  completion  of  every  statement.  However, 
the  suggested  restrictions  on  programming  languages  — namely,  that  switch  is  the  only  statement  that  can 
change  the  current  partition —  would  enable  a  large  number  of  these  checks  to  be  removed,  since  statements 
that  raise  or  lower  exceptions  could  be  determined  syntactically. 

The  presented  trace  semantics  was  preceded  by  two  attempts.  As  a  first  attempt,  the  trace  semantics 
presented  in  [7]  was  extended  to  allow  raise  to  be  the  left  and  right  identity  of  < .  This  led  to  our  next 
attempt  in  which  we  tried  to  formulate  a  symmetric  semantics  for  exceptions,  lower  was  introduced  as  the 
counterpart  of  raise.  In  this  note  we  have  presented  a  semantics  which  handles  any  partition  of  the  state 
space  uniformly. 

The  results  from  [7]  served  as  the  foundation  for  the  semantics  presented  here.  Other  early  references 
to  semantics  in  particular  semantics  of  exception  handling  are  [3]  and  the  unpublished  [1],  The  formerly 
mentioned  of  these  references  provides  a  good  discussion  of  how  exception  handling  can  simplify  the  structure 
of  certain  programs.  It  gives  separate  predicate  transformers  for  normal  and  exceptional  outcomes,  whereas 
we  do  not  distinguish  between  the  two.  In  [1],  an  arbitrary  number  of  outcomes  is  considered  and  a  structured 
branching  scheme  is  discussed.  In  [7],  wep.S  is  applied  to  a  pair  of  predicates,  whereas  we  only  have  one 
(partitioned)  predicate. 


4.  APPLICATION  AREA:  DATABASES 

For  a  tagged  collection  {[_]  i  >  i:  V .i),  we  may,  in  the  realm  of  databases,  consider  each  i:  V.i  pair  a 
row,  whose  key  is  i.  Then  we  may  want  to  apply  operation  op  to  only  some  of  the  rows,  discriminating  based 
on  the  key.  For  the  selection  of  the  rows,  we  use  a  predicate  over  the  index  set,  usually  denoted  p. 

We  show  some  applications  of  *p d  to  relational  databases  [12].  We  may  think  of  Tag.D  as  the  type  of 
a  keyed  relation,  in  which  some  keys  may  have  no  value.  In  an  actual  database,  that  would  be  represented 
by  the  absence  of  a  row.  Here,  however,  we  need  some  value  associated  with  each  key.  Rather  than  just 
introducing  a  special  value  to  indicate  an  empty  row,  we  let  the  the  tagged  collection  be  over  sets  of  values 
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of  the  rows  in  the  relation  that  is  modeled.  Hence,  we  choose  D  to  be  some  power  set.  This  also  allows  a  key 
to  have  associated  with  it  a  set  of  size  greater  than  1.  If  in  a  tagged  collection,  every  key  is  associated  with 
a  set  of  size  at  most  1,  then  we  say  the  tagged  collection  (or  relation)  to  be  uniquely  keyed.  In  the  sequel, 
we  will  let  “p-rows”  refer  to  those  rows  specified  by  p. 

We  now  have  that 

A  Up  B 

is,  in  terms  of  the  modeled  relations,  A  with  the  p-rows  of  B  added.  Similarly, 

Anp  B 

is  A  in  which  each  p-row  has  been  reduced  so  as  to  only  include  those  values  also  found  in  the  corre¬ 
sponding  row  of  B. 

The  replace  operation  is  written 
A  tpc  B 

The  value  of  this  expression  is  A  with  the  p-rows  replaced  by  the  p-rows  of  B.  In  other  words,  it  is  A 
less  its  p-rows,  plus  the  p-rows  of  B . 

Also,  if  A  and  B  are  uniquely  keyed  relations  and  +  is  some  binary  operation  defined  over  the  values, 
we  can  define  +  over  sets  of  values  as 

{<*}  +  {&}  =  +  b} 

{<*}  +  II  =  M 
{}  +m  =  { b i 

u  +  0  =  0 

With  that  definition,  A-\-p  B  yields  A  in  which  the  values  of  the  p-rows  are  increased  by  the  corresponding 
values  in  B. 

5.  APPLICATION  AREA:  EMBEDDED  SYSTEMS 

Consider  an  embedded  system  which  has  various  priority  levels  numbered  from  0  to  N  —  1.  Level  0 
represents  the  normal  level  of  operation.  All  other  levels  represent  an  emergency  situation  which  must  be 
handled  before  normal  execution  can  resume.  The  levels  1  to  (N  —  1)  represent  different  degrees  of  the  same 
emergency.  After  handling  the  emergency  at  level  k,  the  system  can  lower  the  emergency  to  some  other  level. 
The  state  space  is  extended  with  coordinate  lev  which  indicates  the  current  emergency  level.  We  assume 
that  there  is  some  external  process  that  can  increase  lev  at  any  time.  This  external  process  will  inform  the 
system  of  any  emergency  that  occurs  by  raising  lev. 

We  assume  that  there  exists  an  atomic  lower(m ,  n)  operation  which  can  be  described  as: 
lower(m ,  n )  =  if  lev  <  rn  — lev  :=  n  |  lev  >  m  skip  fi 

We  need  atomicity  of  this  operation  since  the  predicate  lev  <  m  is  not  monotonic  in  lev.  To  enable 
execution  to  resume  in  the  middle  of  a  routine  that  handles  an  emergency,  we  add  the  following  N  coordinates 
pe[0  . . .  N  —  1],  In  addition,  each  routine  has  certain  critical  sections  which  cannot  be  interrupted  no  matter 
what  the  emergency  level  is.  To  handle  these,  we  use  the  semicolon  which  is  defined  to  be  <true.  Initially, 
all  the  newly  introduced  coordinates  are  zero.  We  can  describe  the  system  as  follows: 

SYS  =  loop  skip 

^/ev  =  0  Sq 
<Lei/  =  0  A 

<lev  =  N-  1  $N- 1 

end 

where  Sk  is  defined  as: 

Sk  =  loop  skip 

^  Ze?/=A:Apc[A;]=0  N,0j.Pc[&]  • —  1 
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^lev  —  kApcY^—l  Sk,hPc[k]  • —  2 
^ lev—kApc[k]  —  M—  1  Sk,M—  1  j  P^[A’]  • —  0 

end 

The  semicolon  that  defines  the  loop  for  SYS  is  <hrMe.  The  semicolon  that  defines  the  loop  for  Sk  is 
<iiev=k-  Statements  Skj  are  actions  composed  with  the  semicolon.  Since  semicolon  has  been  defined  to  be 
<1 true ,  these  actions  are  not  interruptible. 

6.  CONCLUSION 

In  this  note,  tagged  collections  and  their  compositions  were  introduced.  These  collections  can  be  viewed 
as  quantified  expressions  and  can  be  used  to  manipulate  lists  and  functions  using  the  existing  properties 
of  quantification  and  one  additional  axiom.  These  tagged  collections  were  used  to  introduce  the  theory  of 
conditional  composition  of  functions,  and  the  conditional  replace  operator. 

These  concepts  were  used  to  describe  the  semantics  of  programming  languages,  and  to  introduce  new 
programming  language  constructs.  We  described  the  semantics  of  partitioned  state  spaces,  which  was  then 
used  to  describe  the  semantics  of  exceptions,  loop  exits,  and  structured  jumps.  The  conditional  replace 
operator  was  used  to  describe  operations  in  relational  databases.  Conditional  composition  was  used  to 
describe  the  operation  of  an  embedded  system  with  priority  levels. 
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